Code for Satori malware posted on Pastebin

The code behind Satori malware which is a variant of infamous Mirai DDoS malware has been published online. According to NewSky Security’s principal researcher, Ankit Anubhav the code was posted on Pastebin over Christmas.

Satori

Initially, the code pushed Satori which means “awakening” in the Japanese and Brickerbot malware to hijack thousands of (Internet of Things) IoT devices on November 27, 2017, including Huawei routers and more than 280,000 different IP addresses.

Brickerbot was discovered in April last yearconducting PDoS(Permanent Denial Of Service) and literally destroying IoT devices around the world. Now that the malware code behind Satori botnet has been leaked online it can allow hackers to cause havoc by conducting large-scale distributed denial-of-service (DDoS) attacks.

“The proof of concept code was not made public to prevent attackers from abusing it. However, with the release of the full code now by the threat actor, we expect its usage in more cases by script kiddies and copy-paste botnet masters,” said Anubhav in ablog post.

A snippet of leaked working exploit code shared by NewSky Security.

In order to avoid misuse, NewSky Security has decided not to share the link to the leaked code.

Attacking Huawei devices

Satori was originally identified by Israeli endpoint security providerCheckpointduring a zero-day attack exploiting a vulnerability(CVE-2017–17215) in Huawei HG532 devices. The company reported the issue to Huawei who confirmed the presence of this vulnerability and stated in itssecurity advisorythat: “An authenticated attacker could send malicious packets to port 37215 to launch attacks. A successful exploit could lead to the remote execution of arbitrary code.”

Who is behind Satori?

Although the nationality of the culprit behind Satori is unclear Checkpoint researchers believe the botnet is highly sophisticated and found connections between Satori and a HackForum member Nexus Zeta whose last post on the forum was about Mirai malware.

Image credit: Checkpoint

Researchers also found command & control domain (nexusiotsolutions[.]net) of the malware that was registered on nexuszeta1337@gmail[.]com email address. Moreover, they found Nexus Zeta’s Twitter and Github accounts on which the member was once again talking about Mirai malware.

HACKREAD is a News Platform that centers on InfoSec, Cyber Crime, Privacy, Surveillance and Hacking News with full-scale reviews on Social Media Platforms & Technology trends. Founded in 2011, HackRead is based in Milan, Italy.